Data Processing Agreement
Effective date: 1 January 2025 · Version 1.0
1. Definitions
In this DPA the following terms have the meanings set out below. Terms not defined here have the meanings given in the applicable Terms & Conditions.
- "Applicable Data Protection Law" means, as relevant: (i) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") and its national implementations; (ii) the UK GDPR; (iii) the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) as amended by the CPRA ("CCPA"); and (iv) any other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed under the Services.
- "Processing" has the meaning given to it in Applicable Data Protection Law.
- "Data Subject" means a natural person whose Personal Data is processed.
- "Sub-processor" means any processor engaged by Sparkle5 to process Personal Data on the Controller's behalf.
- "Services" means the managed hosting and associated services described in the Terms & Conditions.
2. Scope and Role of the Parties
The Controller determines the purposes and means of processing Personal Data of its end users ("Platform Users") via the hosted dating platform. Sparkle5 acts solely as a Processor with respect to Platform User data and processes it only on documented instructions from the Controller. With respect to client account and billing data, Sparkle5 acts as an independent Controller.
3. Details of Processing
| Item | Detail |
|---|---|
| Subject matter | Operation of the white-label dating platform on behalf of the Controller |
| Duration | For the term of the Services agreement plus any post-termination retention period required by law |
| Nature of processing | Storage, retrieval, transmission, moderation (automated AI + manual), analytics, backups, security monitoring |
| Purpose | Provision of the hosted dating platform including user account management, matching, messaging, payments, and content moderation |
| Categories of data | Profile data (name, age, gender, photos, location, preferences); account credentials; device and usage data; in-app messages; payment metadata; moderation logs |
| Special categories | Sexual orientation and preferences (implicit in dating context) — processed only to the extent the Controller's end users voluntarily disclose such information |
| Data subjects | End users of the Controller's dating platform |
4. Processor Obligations
Sparkle5 shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law;
- Ensure that persons authorised to process the data are bound by confidentiality obligations;
- Implement the technical and organisational security measures set out in Section 7;
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests within the timescales required by Applicable Data Protection Law;
- Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach affecting Platform User data;
- Make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or its mandated auditors, subject to reasonable prior notice and confidentiality obligations;
- Upon termination of the Services, delete or return all Personal Data to the Controller, and delete existing copies, unless applicable law requires retention.
5. Controller Obligations
The Controller warrants that:
- It has a valid legal basis under Applicable Data Protection Law for each category of Personal Data processed via the Services;
- It has provided all required notices and obtained all required consents from Platform Users;
- It will provide Sparkle5 with complete and accurate processing instructions;
- Its instructions to Sparkle5 will not cause Sparkle5 to violate Applicable Data Protection Law.
6. Sub-processors
The Controller grants Sparkle5 general authorisation to engage Sub-processors. The current list of approved Sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Infrastructure provider | Server hosting and object storage | EU / US / SG (per Controller's region selection) |
| SMTP2GO | Transactional email delivery | EU (SMTP2GO EU data centre) |
| Payment processor | Subscription billing and invoicing | US / EU |
Sparkle5 will provide at least 14 days' prior written notice before adding or replacing a Sub-processor. The Controller may object to such changes on reasonable grounds within that period; if the parties cannot resolve the objection, the Controller may terminate the Services.
7. Security Measures
Sparkle5 implements and maintains the following technical and organisational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Firewall rules restricting access to databases and internal services;
- Role-based access controls and mandatory two-factor authentication for all staff;
- Automated daily backups with point-in-time recovery;
- Intrusion detection, log monitoring, and anomaly alerting;
- Self-hosted AI-assisted content moderation for uploaded photos — moderation models run entirely within the client's dedicated server environment; no images or user data are transmitted to third-party AI providers;
- Regular dependency and security patching;
- Physical security delegated to the infrastructure provider's certified data centres (ISO 27001 / SOC 2).
8. International Data Transfers
Where Personal Data of EEA or UK Data Subjects is transferred to a country outside the EEA/UK, such transfers shall be subject to appropriate safeguards under GDPR Chapter V, including the EU Standard Contractual Clauses (Commission Decision 2021/914). The Controller may request a copy of the applicable SCCs by contacting support@sparkle5.com.
For California residents: Sparkle5 does not "sell" or "share" Personal Data as those terms are defined in the CCPA/CPRA. Platform Users whose data is processed under this DPA may exercise CCPA rights by contacting the Controller (the business that operates the dating platform).
9. Data Subject Rights Assistance
Sparkle5 shall provide reasonable assistance to enable the Controller to respond to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) within the applicable statutory timeframes. Where a Data Subject contacts Sparkle5 directly, Sparkle5 will promptly redirect the request to the Controller.
10. Data Breach Notification
In the event of a confirmed Personal Data breach affecting Platform User data, Sparkle5 will notify the Controller within 72 hours of becoming aware of the breach and will include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
11. Deletion and Return of Data
Upon expiry or termination of the Services, Sparkle5 will, at the Controller's election and within 30 days of written request:
- Return a copy of all Personal Data in a standard exportable format; and/or
- Securely delete all Personal Data and certify such deletion in writing.
Residual copies in automated backup systems will be overwritten in the ordinary course of the backup rotation schedule (maximum 90 days).
12. Governing Law and Disputes
This DPA is governed by the same law that governs the Terms & Conditions (Wyoming, USA). However, to the extent that Applicable Data Protection Law requires a different governing law for specific provisions (e.g., GDPR enforcement in an EU member state), those mandatory provisions shall apply.
13. Contact
Data protection enquiries, Data Subject rights requests directed to Sparkle5, and audit requests should be sent to:
E-mail: support@sparkle5.com